As you can see from the code I have commented out, I have tried everything possible to get this working and the only thing that works is if I set the password directly. I am trying to use the RSA private key generated, but I keep getting an auth fail.

I have added the public key to the list of authorized keys on the target server. And there is no passphrase.

Is there something else I am supposed to do? Like say, while generating the keys? Is there a step I am missing?

2 Answers
2

Make sure the necessary files exist (id_rsa and id_rsa.pub on the client, authorized_keys on the server). Make sure you can use public key authentication with another tool, like ssh, using these files.

If that looks alright, the problem may be with your Java security provider. Read on if you think you have the right files in place.

There are different formats for RSA private key storage, and SSH uses one that is not standard. Most providers expect something called a CRT RSA key, and when JSch doesn't give them a key in that format, they raise an exception which JSch silently eats and goes on to the next authentication method.

Update: I did some checking around, and as of Java 5, the SunPKCS11 provider is installed with the highest precedence on Solaris systems, for performance. Since I don't run Solaris, I can't test it, but I believe this may be causing the problem.

JSch doesn't allow you to specify the provider to use for this operation through its API, so you will have to change the precedence of the installed providers. In fact, I'd suggest trying to remove the SunPKCS11 from this application; run this code once when your application starts up:

The provider is SunPKCS11-Solaris. I made sure that those keys exist and was able to sftp and ssh using those keys (i.e. no password/passphrase). But, with jsch, it gives me this exception. How do I ensure that the format is the way it needs to be?
– roymustang86 Dec 5 '11 at 19:58

@roymustang86 Okay, that is strange. By default, an Oracle JVM should be using the SunRsaSign provider to create RSA keys, and it can handle this case. The PKCS11 provider is pluggable, so it could be anything, but normally you'd use it with keys stored in hardware, like a smart card. If you have a smart card reader or hardware crypto module on your system, maybe the PKCS11 provider has been configured as first choice, and that could indeed be causing the problem. List your providers like this: for (Provider p : Security.getProviders()) System.out.println(p.getName());
– erickson Dec 5 '11 at 20:28

The list is in the following order: SunPKCS11-Solaris, SUN, SunRsaSign, SunJSSE, SunJCE, SunJGSS, SunSASL
– roymustang86 Dec 5 '11 at 21:01
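
A way to test the provider theory from the answer above, as an added example that is not code from the original answer or from JSch: it builds an RSA private key from modulus and private exponent only (no CRT parameters), signs with it through the default provider order, then removes any SunPKCS11 provider and tries again. The class name RsaProviderProbe, the throwaway key, and the choice of SHA1withRSA (the signature algorithm of the ssh-rsa key type) are assumptions of this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.RSAPrivateKeySpec;

public class RsaProviderProbe {  // hypothetical class name, not part of JSch

    // Throwaway 2048-bit key built with BigInteger only, so no provider is involved yet.
    static RSAPrivateKeySpec throwawaySpec() {
        SecureRandom rnd = new SecureRandom();
        BigInteger e = BigInteger.valueOf(65537), one = BigInteger.ONE;
        while (true) {
            BigInteger p = BigInteger.probablePrime(1024, rnd);
            BigInteger q = BigInteger.probablePrime(1024, rnd);
            BigInteger phi = p.subtract(one).multiply(q.subtract(one));
            if (phi.gcd(e).equals(one))  // e must be invertible modulo phi
                return new RSAPrivateKeySpec(p.multiply(q), e.modInverse(phi));
        }
    }

    // Imports the non-CRT key and signs with it; reports which providers handled it.
    static String probe(RSAPrivateKeySpec spec) {
        try {
            KeyFactory kf = KeyFactory.getInstance("RSA");
            PrivateKey key = kf.generatePrivate(spec);
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initSign(key);
            sig.update("probe".getBytes(StandardCharsets.US_ASCII));
            sig.sign();
            return "OK (KeyFactory=" + kf.getProvider().getName()
                    + ", Signature=" + sig.getProvider().getName() + ")";
        } catch (GeneralSecurityException | RuntimeException ex) {
            return "FAILED: " + ex;  // the kind of error that otherwise ends as "Auth fail"
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders())
            System.out.println("installed: " + p.getName());
        RSAPrivateKeySpec spec = throwawaySpec();
        System.out.println("before: " + probe(spec));
        for (Provider p : Security.getProviders())
            if (p.getName().startsWith("SunPKCS11")) {
                Security.removeProvider(p.getName());  // affects this JVM only
                System.out.println("removed: " + p.getName());
            }
        System.out.println("after:  " + probe(spec));
    }
}
```

If "before" fails and "after" succeeds, the provider order is the cause. Removing a provider changes cryptography for every component in the same JVM, so anything there that depends on PKCS#11-backed keys will lose access to them.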

Have you copied the key into the file $HOME/.ssh/authorized_keys on the target server? If so, you should probably mention that. If not, that is required for this to work. Also, are you generating the key without a password? If the private key is password protected, you will need to provide that password to addIdentity.

After verifying those things, I'd recommend trying to connect via the command line using OpenSSH, as the Java code you have here looks correct. If the command line does not work, invoke it with -vvv to get verbose output about what it is doing. It is possible that the server is configured with PubkeyAuthentication set to no.